A method is disclosed for providing user access control for a plurality of resource objects within a distributed data processing system having a plurality of resource managers. A reference monitor service is established and a plurality of access control profiles are stored therein. Thereafter, selected access control profiles are exchanged between the reference monitor service and a resource manager in response to an attempted access (82) of a particular resource object controlled by that resource manager. The resource manager may then control access to the resource object by utilizing the exchanged access control profile (86-98). In a preferred embodiment of the present invention, each access control profile may include access control information relating to a selected user; a selected resource object; a selected group of users; a selected set of resource objects; or, a predetermined set of resource objects and a selected group of users.
METHOD FOR PROVIDING USER ACCESS CONTROL WITHIN A DISTRIBUTED DATA PROCESSING SYSTEM BY THE EXCHANGE OF ACCESS CONTROL PROFILES



The present invention relates to data processing systems in general and in particular to improved methods of providing access control for a plurality of resource objects within a distributed data processing system. Still more particularly, the present invention relates to a system which permits the rapid and efficient interchange of access control information throughout a distributed data processing system.

Security and access control systems in computer based data processing systems are well known in the prior art. Existing access control systems are generally oriented to a single host system. Such single host access control systems are generally utilized to provide security for the host and access control to applications and system resources, such as files. Each application must generally provide access control for the resources controlled by that application.

One example of an access control system designed for utilization with the IBM 370 system is a product called RACF, or Resource Assets Control Facility. RACF offers access control for applications, such as files or CICS transactions, and is hierarchically oriented in access authority levels and grouping of users. RACF is a "password" oriented access control system and access is granted or denied based upon a user's individual identity and his or her knowledge of an appropriate password to verify that identity. The RACF system is, however, oriented to a single host system and cannot be employed in a distributed data processing system which employs multiple hosts associated with separate groups of resource objects, due to the fact that this system does not allow the interchange of access control information from one host to another.

Another example of known access control systems is AS/400. The AS/400 system is a capability based system in which security is based upon each individual resource object. Each user is authorized to access individual resource objects based upon the user's capability within the system. The AS/400 system maintains security by keeping User Profiles, Object Authority, and System Values within the architecture of the machine itself. As above, this system is highly efficient at controlling access to resource objects controlled by a single host; however, access to resource objects located within a distributed data processing system containing multiple hosts cannot be controlled. That is, access to a resource object controlled by one host cannot be obtained by a user enrolled at a second host.

One other example of an access control system is the DB2 product. This product permits a more flexible access control and offers granular or bundled access control authority. For example, the DB2 system may utilize special authorities for administration or database operations. Further, access privilege may be bundled into a specified authority or role so that a user may access specific resource objects based upon the user's title or authority level, rather than the user's personal identity. However, as above, the DB2 system does not possess the capability of exchanging access control information with non-DB2 applications. Therefore, it should be obvious that a need exists for a method of providing access control in a distributed data processing system whereby access to selected resource objects may be controlled throughout the distributed data processing system by means of the exchange of access control information throughout the system.

It is therefore one object of the present invention 
to provide an improved data processing system. 

It is another object of the present invention to provide an improved method of providing access control for a plurality of resource objects within a distributed data processing system.

It is yet another object of the present invention to provide an improved method of providing access control for a plurality of resource objects within a distributed data processing system which permits the rapid and efficient interchange of access control information throughout a distributed data processing system.

The foregoing objects are achieved as is now described. The method of the present invention may be utilized to provide user access control for a plurality of resource objects within a distributed data processing system having a plurality of resource managers. A reference monitor service is established and a plurality of access control profiles are stored therein. Thereafter, selected access control profiles are exchanged between the reference monitor service and a resource manager in response to an attempted access of a particular resource object controlled by that resource manager. The resource manager may then control access to the resource object by utilizing the exchanged access control profile. In a preferred embodiment of the present invention, each access control profile may include access control information relating to a selected user; a selected resource object; a selected group of users; a selected set of resource objects; or, a predetermined set of resource objects and a selected list of users each authorized to access at least a portion of said predetermined set of resource objects.

The novel features believed characteristic of the invention are set forth in the appended claims. The invention itself however, as well as a preferred mode of use, further objects and advantages thereof, will best be understood by reference to the following detailed description of an illustrative embodiment when read in conjunction with the accompanying drawings, wherein:

Figure 1 depicts a pictorial representation of a distributed data processing system which may be utilized to implement the method of the present invention;

Figure 2 depicts in block diagram form the access control system utilized with the method of the present invention;

Figure 3 is a high level flow chart depicting the establishment of an access control system in accordance with the method of the present invention; and

Figure 4 is a high level flow chart depicting access to a resource object in accordance with the method of the present invention.

With reference now to the figures, and in particular with reference to Figure 1, there is depicted a pictorial representation of a data processing system 8 which may be utilized to implement the method of the present invention. As may be seen, data processing system 8 may include a plurality of networks, such as Local Area Networks (LAN) 10 and 32, each of which preferably includes a plurality of individual computers 12 and 30, respectively. Of course, those skilled in the art will appreciate that a plurality of Interactive Work Stations (IWS) coupled to a host processor may be utilized for each such network.

As is common in such data processing systems, each individual computer may be coupled to a storage device 14 and/or a printer/output device 16. One or more such storage devices 14 may be utilized, in accordance with the method of the present invention, to store applications or resource objects which may be periodically accessed by any user within data processing system 8. In a manner well known in the prior art, each such application or resource object stored within a storage device 14 is associated with a Resource Manager, which is responsible for maintaining and updating all resource objects associated therewith.

Still referring to Figure 1, it may be seen that data processing network 8 may also include multiple main frame computers, such as main frame computer 18, which may be preferably coupled to Local Area Network (LAN) 10 by means of communications link 22. Main frame computer 18 may also be coupled to a storage device 20 which may serve as remote storage for Local Area Network (LAN) 10. Similarly, Local Area Network (LAN) 10 may be coupled via communications link 24 through a subsystem control unit/communications controller 26 and communications link 34 to a gateway server 28. Gateway server 28 is preferably an individual computer or Interactive Work Station (IWS) which serves to link Local Area Network (LAN) 32 to Local Area Network (LAN) 10.

As discussed above with respect to Local Area Network (LAN) 32 and Local Area Network (LAN) 10, resource objects may be stored within storage device 20 and controlled by main frame computer 18, as resource manager for the resource objects thus stored. Of course, those skilled in the art will appreciate that main frame computer 18 may be located a great geographic distance from Local Area Network (LAN) 10 and similarly Local Area Network (LAN) 10 may be located a substantial distance from Local Area Network (LAN) 32. That is, Local Area Network (LAN) 32 may be located in California while Local Area Network (LAN) 10 may be located within Texas and main frame computer 18 may be located in New York.

In known prior art systems of this type, should the user of an individual computer 30 desire to access a resource object stored within storage device 20, associated with main frame computer 18, it will be necessary for the user of computer 30 to be enrolled within the security system of main frame computer 18. This is necessary in order for the user of computer 30 to present the proper password to obtain access to the desired resource object. Of course, those skilled in the art will appreciate that this technique will prove ungainly in distributed data processing systems, such as data processing system 8 depicted within Figure 1.

Referring now to Figure 2, there is depicted in block diagram form the access control system which is utilized with the method of the present invention. Local Area Networks (LAN) 10 and 32 are illustrated by dashed lines, as is main frame computer 18. In each instance resource objects 42, 48 and 54 are illustrated in association with each portion of distributed data processing system 8 of Figure 1. Of course, each object thus illustrated will be stored within one or more storage devices associated with each portion of data processing system 8. As is illustrated, Local Area Network 10 includes a resource manager 40 which may be one or more individual computers which are utilized to manage selected resource objects. Also established within Local Area Network 10 is a Reference Monitor 44. Reference Monitor 44, in accordance with the method of the present invention, is an application or service which is utilized to store access control profiles which may include access control information relating to: selected users; selected resource objects; a selected group of users; a selected set of resource objects; or, a predetermined set of resource objects and a selected list of users, each authorized to access at least a portion of said predetermined set of resource objects.

Still referring to Figure 2, it may be seen that within Local Area Network (LAN) 32 a resource manager 46 is illustrated, which is utilized, in a manner well known in the art, to control access to resource object 48. Similarly, a Reference Monitor 50 is established within Local Area Network (LAN) 32. Reference Monitor 50 is, as described above, preferably utilized to store access control profiles relating to individual users within Local Area Network 32 as well as resource objects stored within Local Area Network 32.

Finally, main frame computer 18 is illustrated as including a resource manager 52 which has associated therewith one or more resource objects 54.

In accordance with an important feature of the present invention, any attempted access of a resource object, such as resource object 42, 48 or 54, will automatically result in a query by the associated resource manager to one or more Reference Monitor applications to determine whether or not the access requested will be permitted. It should be noted that, in accordance with the depicted embodiment of the present invention, only one Reference Monitor application is required for data processing system 8; however, two are illustrated. In accordance with the method of the present invention, communications links between a single Reference Monitor application may be established with each and every resource manager within data processing system 8 (see Figure 1) so that access to selected resource objects may be controlled in accordance with the access control information stored within the profiles within that Reference Monitor.

In this manner, a user within Local Area Network (LAN) 32 may, via the communications links depicted within Figure 1, request access to a resource object 54 associated with main frame computer 18. As will be explained in greater detail herein, resource manager 52 will then query Reference Monitor 44 and/or Reference Monitor 50 to determine whether or not a profile exists which permits the requested access. If so, the profile information is exchanged between the appropriate Reference Monitor and resource manager 52 and access to resource object 54 may be permitted.

With reference now to Figure 3, there is depicted a high level flow chart illustrating the establishment of an access control system in accordance with the method of the present invention. As is illustrated, the process begins at block 60 and thereafter passes to block 62, which depicts the defining of an access control profile for an object or group of objects, by the associated resource manager. Thereafter, block 64 illustrates the storing of that profile within a Reference Monitor application. Next, block 66 illustrates a determination of whether or not additional objects require an access control profile to be established and, if so, the process returns to block 62 and continues thereafter in an iterative fashion.

In the event no additional resource objects require access control profiles, the process passes to block 68 which illustrates the establishment by an associated resource manager of an access control profile for one or more users within the distributed data processing system. Thereafter, block 70 illustrates the storing of the access control profile thus created in an associated Reference Monitor application. Block 72 next determines whether or not additional users within the data processing system require access control profiles to be created. If so, as above, the process returns to block 68 to define the additional profiles. In the event no additional users require access control profiles, then the process terminates, as illustrated in block 74. Of course, those skilled in the art will appreciate that in this manner it will be possible to create various access control profiles which contain access control information relating to a single resource object, a group of resource objects, an individual user, a group of users, or, a predetermined set of resource objects and a selected group of users.

Finally, referring to Figure 4, there is depicted a high level flow chart depicting access to a resource object in accordance with the method of the present invention. As is illustrated, the process begins at block 80 and thereafter passes to block 82 which illustrates the receipt by a resource manager of an access request for a resource object within that resource manager's purview. Next, the process passes to block 84 which illustrates the query of the nearest Reference Monitor application to determine whether or not an access control profile exists for the resource object or user in question.

Block 86 next depicts a determination of whether or not the appropriate access control profile is defined locally and, if so, block 88 illustrates a determination of whether or not access to the specific resource object is permitted. This determination is, as those skilled in the art will appreciate, simply a matter of comparing the defined access control profile with the parameters of the resource object and the user in question. Thereafter, as illustrated in block 90, if the determination of block 88 so permits, access to the resource object is provided and the process terminates, as depicted in block 92.

Returning to block 86, in the event an access control profile is not defined locally, then block 94 illustrates a determination of whether or not an appropriate access control profile is defined anywhere within the system. If so, block 96 depicts the retrieval of that profile and the process then returns to block 88 for a determination of whether or not access to the selected resource object is permitted. Thereafter, if access is permitted, the process passes to block 90 which illustrates the accessing of the resource object and the subsequent termination of the process.

In the event the access control profile required is not defined anywhere within data processing system 8 (see Figure 1), or access to the desired resource object is not permitted, as illustrated by the determination within block 88, then block 98 depicts the denial of access to the requested resource object with an appropriate message to the requester.
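The Figure 3 set-up and the Figure 4 decision path, written out as an added Python illustration that is not part of the patent text. The class names, the user names and the object identifiers are constructed assumptions; the block numbers in the comments refer to the flow charts described above, and the topology follows Figure 2 (a user enrolled only at Reference Monitor 50 in LAN 32 requesting object 54 from resource manager 52, whose nearest monitor is Reference Monitor 44).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessControlProfile:
    """A profile: the users it covers and the resource objects it covers."""
    users: frozenset
    objects: frozenset

    def permits(self, user, obj):
        """Block 88: compare the profile with the user and object in question."""
        return user in self.users and obj in self.objects


class ReferenceMonitor:
    """Stores access control profiles (blocks 64 and 70 of Figure 3)."""

    def __init__(self, name):
        self.name = name
        self.profiles = []

    def store(self, profile):
        self.profiles.append(profile)

    def lookup(self, user, obj):
        """Blocks 84 and 94: a profile for this object or user, if one is defined."""
        for profile in self.profiles:
            if obj in profile.objects or user in profile.users:
                return profile
        return None


class ResourceManager:
    """Controls a set of resource objects and decides access as in Figure 4."""

    def __init__(self, name, objects, nearest_monitor, all_monitors):
        self.name = name
        self.objects = set(objects)
        self.nearest = nearest_monitor
        self.monitors = list(all_monitors)
        self.exchanged = {}  # profiles retrieved from other monitors (block 96)

    def request_access(self, user, obj):
        """Blocks 82 to 98: returns (granted, message)."""
        if obj not in self.objects:                                   # block 82
            return False, f"{obj} is not within the purview of {self.name}"
        key = (user, obj)
        profile = self.exchanged.get(key) or self.nearest.lookup(user, obj)  # 84
        if profile is None:                                           # block 86
            for monitor in self.monitors:                             # block 94
                if monitor is not self.nearest:
                    profile = monitor.lookup(user, obj)
                if profile is not None:
                    self.exchanged[key] = profile                     # block 96
                    break
        if profile is None:                                           # block 98
            return False, "access denied: no profile is defined anywhere in the system"
        if profile.permits(user, obj):                                # block 88
            return True, "access granted"                             # block 90
        return False, "access denied: the profile does not permit this access"


def build_system():
    """Figure 3 set-up using the numerals of Figure 2; user names are constructed."""
    monitor_44 = ReferenceMonitor("Reference Monitor 44 (LAN 10)")
    monitor_50 = ReferenceMonitor("Reference Monitor 50 (LAN 32)")
    # A user of LAN 32 is enrolled only at its local monitor, yet may reach
    # object 54 held by main frame computer 18, whose nearest monitor is 44.
    monitor_50.store(AccessControlProfile(frozenset({"alice"}), frozenset({"object_54"})))
    return ResourceManager("resource manager 52", ["object_54", "object_55"],
                           monitor_44, [monitor_44, monitor_50])
```

Calling `build_system().request_access("alice", "object_54")` walks blocks 82, 84, 86, 94, 96, 88 and 90 without alice being enrolled at the main frame; a second user with no profile anywhere is refused at block 98.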

Upon reference to the foregoing, those skilled in the art will appreciate that by utilizing one or more Reference Monitor applications within a distributed data processing system, each containing one or more access control profiles relating to resource objects or to users, it will be possible to control access to a plurality of resource objects located within various subsections of a distributed data processing system, without requiring each individual user within the distributed data processing system 8 to enroll with each resource manager located at every point within the system. By permitting the rapid and efficient interchange of access control profiles containing access control information throughout the system, necessary access control decisions are made at a limited number of locations and the process is greatly enhanced in terms of efficiency.



Claims

1. A method of providing user access control for a plurality of resource objects within a distributed data processing system having a plurality of resource managers associated with said plurality of resource objects, said method comprising the steps of:

storing a plurality of access control profiles within a reference monitor service (64);

exchanging a selected access control profile between said reference monitor service and a selected resource manager in response to an attempted access of a particular resource object (82); and

utilizing said resource manager to control access to said particular resource object in accordance with said selected access control profile (90, 98).

2. The method according to Claim 1 wherein selected ones of said plurality of access control profiles each include access control information relating to a selected user.

3. The method according to Claim 1 wherein selected ones of said plurality of access control profiles each include access control information relating to a selected resource object.

4. The method according to Claim 1 wherein selected ones of said plurality of access control profiles each include access control information relating to a selected group of users.

5. The method according to Claim 1 wherein selected ones of said plurality of access control profiles each include access control information relating to a selected set of resource objects.

6. The method according to Claim 1 wherein selected ones of said plurality of access control profiles each include access control information relating to a predetermined set of resource objects and a selected list of users each authorized to access at least a portion of said predetermined set of resource objects.

7. A method of providing user access control for a plurality of resource objects within a distributed data processing system having a plurality of resource managers associated with said plurality of resource objects, said method comprising the steps of:

establishing a reference monitor service within said distributed data processing system;

storing a plurality of access control profiles within said reference monitor service;

exchanging a selected access control profile between said reference monitor service and a selected resource manager in response to an attempted access of a particular resource object; and

utilizing said resource manager to control access to said particular resource object in accordance with said selected access control profile.

8. The method according to Claim 7 wherein selected ones of said plurality of access control profiles each include access control information relating to a selected user.

9. The method according to Claim 7 wherein selected ones of said plurality of access control profiles each include access control information relating to a selected resource object.

10. The method according to Claim 7 wherein selected ones of said plurality of access control profiles each include access control information relating to a selected group of users.

11. The method according to Claim 7 wherein selected ones of said plurality of access control profiles each include access control information relating to a selected set of resource objects.